Logstash - configuration with multiple sources

Elastic Stack Logstash
1

Hello,

I try to create a configuration in Logstash in order to have two index in elasticserach relation to two diferentes sources (two files), The configuration is:

input {
file {
path => "/etc/logstash/ficheros/disco*"
tag => "serverweb_disco"
sincedb_path => "/dev/null"
start_position => "beginning"
}
file {
path => "/etc/logstash/ficheros/conexiones*"
tag => "serverweb_conexiones"
sincedb_path => "/dev/null"
start_position => "beginning"
}
}
filter{
if "serverweb_disco" in [tag]{
grok{
match => {"message" => "%{DATA:Fecha},%{DATA:Nombre_Servidor},%{DATA:Particion_disco},%{DATA:Sistema_ficheros},%{NUMBER:Porcentaje_usado>
}
}else if "serverweb_conexiones" in [tag]{
grok{
match => {"message" => "%{DATA:Fecha},%{DATA:Nombre_Servidor},%{DATA:Estado},%{DATA:Conexion},%{NUMBER:Numero_conexiones}"}
}
}
}
output {
if "serverweb_disco" in [tag]{
elasticsearch {
hosts => ["http://192.168.1.23:9200"]
index => "serverweb-disco-%{+YYYY.MM.dd}"
}
}else if "serverweb_conexiones" in [tag]{
elasticsearch {
hosts => ["http://192.168.1.23:9200"]
index => "serverweb-conexiones-%{+YYYY.MM.dd}"
}
}
}

But when I start Logstash I have the following error:

warning: thread "Converge PipelineAction::Create" terminated with exception (report_on_exception is true):
LogStash::Error: Don't know how to handle Java::JavaLang::IllegalStateException for PipelineAction::Create<main>
create at org/logstash/execution/ConvergeResultExt.java:129
add at org/logstash/execution/ConvergeResultExt.java:57
converge_state at /usr/share/logstash/logstash-core/lib/logstash/agent.rb:370
[ERROR] 2020-10-14 02:08:12.046 [Agent thread] agent - An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle Java::JavaLang::IllegalStateException for PipelineAction::Create<main>"}
[FATAL] 2020-10-14 02:08:12.154 [LogStash::Runner] runner - An unexpected error occurred! {:error=>#<LogStash::Error: Don't know how to handle Java::JavaLang::IllegalStateException for PipelineAction::Create<main>>, :backtrace=>["org/logstash/execution/ConvergeResultExt.java:129:in create'", "org/logstash/execution/ConvergeResultExt.java:57:in add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:370:in `block in converge_state'"]}
[ERROR] 2020-10-14 02:08:12.227 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

I don't know if my configuration is correct or my way of using tag is the best or not. Can anyboday help me?

Thanks

2

You seem to be missing a closing double quote in the grok for serverweb_disco. Try setting log.level to debug, you might get a more informative error message.

3

Sorry I put a wrong configuration. My configuration is the following, and the error is the same as I posted.

input {
file {
path => "/etc/logstash/ficheros/disco*"
tag => "serverweb_disco"
sincedb_path => "/dev/null"
start_position => "beginning"
}
file {
path => "/etc/logstash/ficheros/conexiones*"
tag => "serverweb_conexiones"
sincedb_path => "/dev/null"
start_position => "beginning"
}
}
filter{
if "serverweb_disco" in [tag]{
grok{
match => {"message" => "%{DATA:Fecha},%{DATA:Nombre_Servidor},%{DATA:Particion_disco},%{DATA:Sistema_ficheros},%{NUMBER:Porcentaje_usado}"}
}
}else if "serverweb_conexiones" in [tag]{
grok{
match => {"message" => "%{DATA:Fecha},%{DATA:Nombre_Servidor},%{DATA:Estado},%{DATA:Conexion},%{NUMBER:Numero_conexiones}"}
}
}
}
output {
if "serverweb_disco" in [tag]{
elasticsearch {
hosts => ["http://192.168.1.23:9200"]
index => "serverweb-disco-%{+YYYY.MM.dd}"
}
}else if "serverweb_conexiones" in [tag]{
elasticsearch {
hosts => ["http://192.168.1.23:9200"]
index => "serverweb-conexiones-%{+YYYY.MM.dd}"
}
}
}

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.